SUBJECT AND PURPOSE OF THE PROCESSING

Associazione Kòres (hereinafter also referred to as the “Data Controller”) informs you that it will process the personal data of users over the age of 14, specifically: full name, gender, age, email address, city of origin, nickname, and geolocation data (GPS-based), solely for the purpose of registering on the “Villaggio Leumann” mobile application (hereinafter, the “Application”) and using the services and multimedia content relating to the thematic routes provided.

Specifically, the personal data provided by users over the age of 18 will be processed for the following purposes:

a) To allow users to register an account in the Application and access multimedia content during the guided tour using geofencing technology;

b) To allow participation in interactive quizzes and related activities that award points contributing to a monthly automated ranking system;

c) To enable the sharing of images and media via the official Instagram profile of Villaggio Leumann.

With regard to users under the age of 18 but over the age of 14, the Data Controller shall process only the user’s nickname and geolocation data, through a simplified procedure and upon prior consent from the holder of parental responsibility (parent or guardian), pursuant to Article 3 of the Terms and Conditions of Use of the Application (to which full reference is hereby made).

Specifically, processing will be carried out for the following purposes:

d) To enable access to multimedia content during the guided visit using geofencing technology, in simplified mode;
e) To allow participation in interactive quizzes and the accumulation of points within the monthly ranking system.

This privacy notice applies exclusively to the Application and does not apply to any other applications, websites and/or portals accessible through external links, for which the Data Controller assumes no responsibility.

Any personal data collected automatically or otherwise provided during navigation shall be processed solely for access control purposes and/or for improving the functionality of the Application, with the aim of ensuring an optimal user experience.

LEGAL BASIS FOR PROCESSING

The provision of personal data by the user or by the holder of parental responsibility (parent or guardian), as set out above, is based on the following legal grounds:

For users over the age of 18:

• Article 6(1)(a) of the GDPR: the data subject has given explicit, freely given, specific, informed and revocable consent, which is necessary to fulfil the purposes listed under points a), b), and c). Without such consent, the use of the Application’s functionalities will not be possible. In any case, consent may be withdrawn at any time, with immediate effect on the activities and services previously enabled.

For users under the age of 18 but over the age of 14:

• Article 6(1)(a) of the GDPR: the explicit, freely given, specific, informed and revocable consent of the holder of parental responsibility (parent or guardian), acquired through the relevant educational institution, is required to fulfil the purposes indicated under points d) and e). Without such consent, the use of the Application’s functionalities will not be possible. Consent may be withdrawn at any time by the holder of parental responsibility, with immediate effect on the activities and services previously enabled.

The processing of personal data shall be carried out in accordance with the principles of lawfulness, fairness, transparency, necessity and data minimisation, in compliance with Article 5 of the GDPR.

METHODS OF PROCESSING

The processing of personal data will be carried out through the operations listed in Article 4(2) of the GDPR, specifically: “collection, recording, organisation, storage, consultation, adaptation or alteration, retrieval, use, alignment or combination, restriction, erasure or destruction”

The personal data provided will be subject to automated processing for the time strictly necessary to achieve the purposes for which they were collected, using technical and organisational measures designed to prevent data loss, unlawful or improper use, and unauthorised access, and to ensure a level of security appropriate to the risk, pursuant to Article 32 of the GDPR. Processing shall be carried out by duly authorised personspursuant to Article 29 of the GDPR, including employees and/or collaborators of the Data Controller acting as authorised personnel and/or system administrators. These individuals may carry out consultation, use, processing, comparison, and other operations in compliance with legal obligations, ensuring confidentiality, security, accuracy, and relevance of the data in line with the declared purposes. In accordance withArticle 13(1)(e) of the GDPR, personal data will not be disclosed or communicated to third parties except to authorised data processors pursuant to Article 28 of the GDPR, or to independent data controllers when strictly necessary for technical or maintenance-related purposes, such as hosting service providers or appointed technical staff.

GEOLOCATION FEATURES and COMPLIANCE with Regulation (EU) 2018/302

The use of geolocation technologies within the Application is carried out in full compliance with Regulation (EU) 2018/302, aimed at preventing unjustified geo-blocking and other forms of discrimination based on nationality, place of residence or place of establishment of users within the internal market.

The Application provides users with a free service intended exclusively for educational and touristic purposes. Accordingly, no products or services are sold or transferred for consideration, and, in any case, the Application does not restrict or condition access to its services andcontent based on the user’s geographical location, nor does it apply different general conditions of access based on nationality or residence.

The geolocation functionality is activated solely upon the user’s express consent, which is granted directly through the settings of the user’s device, pursuant to Articles 6 and 7 of Regulation (EU) 2016/679 (GDPR). Such consent enables the delivery of location-based content (e.g.,multimedia materials relating to nearby points of interest) and supports the technical functioning of the Application. The user may at any time withdraw consent and disable geolocation via the device’s settings, without prejudice to the ability to continue using the Application, although some features may be limited or unavailable.

RECIPIENTS OF PERSONAL DATA

In relation to the purposes outlined above, personal data may be disclosed to the following entities and/or categories of entities, or to companies and/or individuals who provide services, including external services, on behalf of the Data Controller.

For greater clarity, and by way of example but not limited to, such entities may include: parties who perform control, audit and certification activities on behalf of the company, potentially also in the interest of users; service providers responsible for the management of IT systemsand telecommunications networks; competent authorities and/or Supervisory Bodies for the fulfilment of legal obligations; entities carryingout control, audit and certification tasks with respect to the activities performed by the Data Controller, acting either as external data processors pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR), or as independent data controllers separate from the Data Controller.

The Data Controller informs you that, as a general rule, personal data will not be transferred to a third country outside the European Union, nor to any international organisation established outside the EU. Should such a transfer become necessary for any reason, the Data Controller hereby ensures in advance that any such transfer will be carried out in full compliance with applicable legal provisions and, in particular, in accordance with Articles 44, 45, 46, 47, 48 and 49 of the GDPR, as well as any other relevant legislation.

DATA RETENTION PERIOD

In compliance with the principles of lawfulness, purpose limitation, storage limitation and data minimisation pursuant to Article 5 of Regulation (EU) 2016/679 (GDPR), the retention period for personal data — specifically, the data relating to users over the age of 18 — is established for a duration not exceeding the time strictly necessary for the achievement of the purposes for which the data are collected and processed, and  no later than 24 (twenty-four) months from the last access to the Application, and anyway for the entire duration of the fulfilment of the aforementioned purposes, Once the purposes of the processing have been fulfilled, the data shall be erased from all digital storage media, without prejudice to further retention for statistical purposes and for the drafting of internal reports by the Association, provided that such processing is carried out following an anonymisation procedure.

With regard to data concerning users under the age of 18 but over the age of 14, the personal data processed shall be used exclusively during the course of the use of the Application and shall not be stored thereafter.

AUTOMATED DECISION-MAKING AND PROFILING

The Data Controller hereby informs the data subject and/or the holder of parental responsibility (parent or guardian) that no automateddecision-making processes are used in relation to the processing of personal data. That is, no decisions are taken based solely on automated processing without human involvement, as defined in Article 22 of the GDPR. Furthermore, the Data Controller does not engage in profilingactivities, i.e., any form of automated processing of personal data intended to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements, etc

RIGHTS OF THE DATA SUBJECT

RIGHT OF ACCESS (Article 15 GDPR) AND RIGHT TO RECTIFICATION (Article 16 GDPR)

As a data subject, pursuant to Article 15 of Regulation (EU) 2016/679 (GDPR), the user and/or the holder of parental responsibility (parent(s)/guardian) has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are beingprocessed, and, where that is the case, access to such data and to all the information referred to in Article 15(1), letters (a) to (h) of the GDPR.

They also have the right to receive a copy of the personal data undergoing processing, in a structured, commonly used, machine-readable and interoperable format.

Pursuant to Article 16 of the GDPR, the user and/or the holder of parental responsibility (parent(s)/guardian) also has the right to obtain from the Data Controller, without undue delay, the rectification and/or completion of personal data if such data are found to be out of date and/or inaccurate and/or incomplete.

Right to erasure (Article 17 GDPR) and Right to restriction of processing (Article 18 GDPR)

As a data subject, the user and/or the holder of parental responsibility (parent(s)/guardian) has the right to obtain from the Data Controller theerasure of personal data concerning them without undue delay, but only in the cases provided for under Article 17(1), letters (a) to (f) of the GDPR, with the exception of the cases specifically set out in Article 17(3).

Pursuant to Article 18(1), letters (a) to (d) of the GDPR, the user and/or the holder of parental responsibility (parent(s)/guardian) also has the right to request and obtain from the Data Controller the restriction of processing of their personal data, meaning that such data shall not be subject to further processing and may no longer be modified.

The Data Controller shall ensure that the restriction of processing is implemented by means of appropriate technical measures that guarantee the inaccessibility and immutability of the data.

Right to Data Portability (Article 20 GDPR)

As a data subject, the user and/or the holder of parental responsibility (parent(s)/guardian) has the right, pursuant to Article 20 of the GDPR, to receive from the Data Controller the personal data concerning them which they have provided, where the processing is carried out by automatedmeans, in a structured, commonly used and machine-readable format. They also have the right to transmit such data to another data controller,or to request, where technically feasible, the direct transmission of such data from the Data Controller to another specific data controller.

Right to Object (Article 21 GDPR)

As a data subject, the user and/or the holder of parental responsibility (parent(s)/guardian) has the right to object at any time, on grounds relatingto their particular situation, to the processing of personal data concerning them, in the cases where the processing (1) is necessary for the performance of a task carried out in the public interest and/or in the exercise of official authority vested in the Data Controller; (2) is based on the legitimate interests pursued by the Data Controller or by a third party;(3) includes profiling activities conducted on the basis of the above grounds.

The user and/or the holder of parental responsibility (parent(s)/guardian) also has the right to object to the processing of their personal data on grounds relating to their particular situation, where such data are processed for purposes of scientific or historical research or for statistical purposes, pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

PROCEDURES FOR EXERCISING DATA SUBJECT RIGHTS

The user and/or the holder of parental responsibility (parent(s)/guardian) may exercise the rights listed above by submitting a request to the following email address: infokores@gmail.com.

The Data Controller shall confirm receipt of the request and shall provide the user and/or the holder of parental responsibility (parent(s)/guardian) with information concerning the action taken in relation to the exercise of their rights under Articles 15 to 22 ofRegulation (EU) 2016/679 (GDPR), within 1 (one) month from the date of receipt of the request. Where necessary, taking into account the complexity and number of requests, the Data Controller may extend this period by 2 (two) additional months, provided that it notifies the user and/or the holder of parental responsibility (parent(s)/guardian) of such extension and the reasons for the delay within 1 (one) month of receipt of the request.

The Data Controller shall also communicate any rectification or erasure of personal data or restriction of processing carried out pursuant toArticles 16, 17 and 18 GDPR to each recipient to whom the personal data have been disclosed, as identified under Article 4(1)(9) of the GDPR, unless this proves impossible or involves a disproportionate effort. Following the submission of a request for rectification, erasure, restriction or objection, should the Data Controller have reasonable doubts as to the identity of the user and/or the holder of parental responsibility (parent(s)/guardian), it may request additional information necessary to confirm identity, in accordance with Article 12(6) of the GDPR.

All  communications  regarding  such  requests  shall  be  sent  by  email  from  the  following  address:

infokores@gmail.com.

If the Data Controller fails to act on the request within 1 (one) month of receipt, it shall inform the user and/or the holder of parental responsibility (parent(s)/guardian) of the reasons for such failure, and shall remind them of their right to lodge a complaint with the Supervisory Authority (“Garante per la protezione dei dati personali”), as provided under Article 13(2)(d) and governed by Articles 77 et seq. of the GDPR.

Privacy Policy EN

Termini e Condizioni in Italiano